TRYHACKME-Jack-of-All-Trades

This is the write-up for TryHackMe's room Jack-of-All-Trades, available here: https://tryhackme.com/room/jackofalltrades

The task is simple: get the user and root flags. This write-up will be a little different from my previous write-ups and will provide hints rather than a full-blown step-by-step guide. Here it goes:

1. An Nmap scan reveals two open ports, 22 and 80, but wait: in this case 22 is HTTP and 80 is SSH.

2. Depending on the browser you are using, temporarily modify its settings to allow HTTP to a non-standard port. For Firefox, the setting is "network.security.ports.banned.override" with port 22 in about:config.

3. Now go to http://IP:22. The web page mentions a username "jack" and has a few images. Also check the page source, which has a base64-encoded string that reveals a password to be used later. The page source also mentions a page, /recovery.php.

4. Let's browse to http://IP:22/recovery.php. It is a sort of password recovery page and requires a username and password. Let's try jack with the password from step 3. No dice.

5. The page source of http://IP:22/recovery.php reveals another string, which is base32 encoded. I used https://gchq.github.io/CyberChef/ to decode it: base32 ==> hex to ASCII ==> ROT13. This reveals a link to an image which matches an image on the main page.

6. After getting trolled, I got cms.creds from header.jpg on the main page using steghide and the password from step 3.

7. Use cms.creds to log in to http://IP:22/recovery.php; we get a new hint to use cmd. Let's try the ?cmd= param to do LFI. This will reveal jacks_password_list in the /home directory.

8. I used hydra to brute-force Jack's SSH login using the password list jacks_password_list from step 7.

9. SSH in with the creds from step 8; in jack's home directory we will get the user's flag in user.jpg.

10. I used LinPEAS.sh (https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) and GTFOBins (https://gtfobins.github.io/gtfobins/strings/) to do privilege escalation, and used /usr/bin/strings /root/root.txt to read the root flag.
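
The decode chain from step 5 (base32, then hex to ASCII, then ROT13), as an added Python example that is not part of the original write-up. The sample string is constructed rather than the one from the room, and `decode_layers` / `encode_layers` are hypothetical names.

```python
import base64
import codecs


def decode_layers(blob: str) -> str:
    """Undo base32 -> hex -> ROT13, failing loudly when a layer does not fit."""
    # Layer 1: base32. Drop whitespace, normalise case, and restore any '='
    # padding that was lost when the string was copied out of the page source.
    compact = "".join(blob.split()).upper().rstrip("=")
    compact += "=" * (-len(compact) % 8)
    try:
        hex_text = base64.b32decode(compact).decode("ascii")
    except ValueError as exc:
        raise ValueError(f"not valid base32: {exc}") from exc

    # Layer 2: the base32 payload is itself a string of hex digits.
    try:
        rotated = bytes.fromhex(hex_text).decode("ascii")
    except ValueError as exc:
        raise ValueError(f"base32 payload is not ASCII hex: {exc}") from exc

    # Layer 3: ROT13 rotates letters only; digits and punctuation pass through.
    return codecs.decode(rotated, "rot_13")


def encode_layers(text: str) -> str:
    """Inverse of decode_layers, used here only to build the constructed sample."""
    rotated = codecs.encode(text, "rot_13")
    hex_text = rotated.encode("ascii").hex()
    return base64.b32encode(hex_text.encode("ascii")).decode("ascii")


# Constructed sample, not the string from the room.
SAMPLE_HINT = "Constructed hint: see example.invalid/image"
SAMPLE_BLOB = encode_layers(SAMPLE_HINT)

if __name__ == "__main__":
    print(SAMPLE_BLOB)
    print(decode_layers(SAMPLE_BLOB))
```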

Sweet and Simple. Hope you enjoyed it!